Impact
The vulnerability is a missing authorization flaw that allows users with insufficient permissions to manipulate shipping rates in the ShipTime: Discounted Shipping Rates plugin. Because the plugin fails to enforce proper access control, an attacker could add, modify, or delete discount rules, resulting in financial loss or billing inaccuracies. The weakness maps to CWE-862 (Missing Authorization), a broken access control flaw that can lead to data tampering and unauthorized privilege escalation.
Affected Systems
Any WordPress installation running the ShipTime: Discounted Shipping Rates plugin, version 1.1.1 or earlier, is affected. The plugin is identified under the vendor product shiptime:ShipTime: Discounted Shipping Rates. No specific OS or WordPress core version constraints are noted; the issue lies solely in the plugin code. The affected range includes all builds from the earliest available version up to and including 1.1.1.
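An added example, not taken from the advisory or the plugin: a Python inventory check that reads plugin header comments under a wp-content/plugins directory and flags installs in the affected range (1.1.1 or earlier). It assumes the plugin's "Plugin Name" header contains "shiptime"; the sample header and the script name in the usage comment are constructed.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (1, 1, 1)  # from the advisory: version 1.1.1 or earlier
NAME_HINT = "shiptime"     # assumption: the Plugin Name header contains this

# Constructed sample of a plugin main-file header (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ShipTime: Discounted Shipping Rates
 * Version: 1.1.1
 */
"""

def read_header(text, field):
    """Return a WordPress-style header field such as 'Version', or None."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", text, re.M | re.I)
    if not m:
        return None
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip() or None

def version_tuple(version):
    """'1.1' -> (1, 1); a suffix such as '-beta' on a part is ignored."""
    nums = (re.match(r"\d+", part) for part in version.split("."))
    return tuple(int(n.group()) if n else 0 for n in nums)

def is_affected(version):
    """True when version <= 1.1.1, comparing zero-padded numeric parts."""
    v = version_tuple(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)

def scan(plugins_dir):
    """Return [(relative path, version, status)] for matching plugin files."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # headers sit in the first 8 KB
        name = read_header(head, "Plugin Name")
        if not name or NAME_HINT not in name.lower():
            continue
        version = read_header(head, "Version")
        status = "unknown" if version is None else (
            "affected" if is_affected(version) else "outside advisory range")
        findings.append((f"{php.parent.name}/{php.name}", version, status))
    return findings

if __name__ == "__main__":
    # Usage: python check_shiptime.py /path/to/wp-content/plugins
    for path, version, status in scan(sys.argv[1]):
        print(f"{path}\t{version}\t{status}")
```

A status of "unknown" means a matching plugin file had no Version header and should be checked by hand.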
Risk and Exploitability
No CVSS score is supplied and no EPSS value is available, so the exact numerical severity cannot be stated. The flaw is not included in the CISA Known Exploited Vulnerabilities catalog, suggesting no publicly documented exploit at this time. The likely attack vector is through web interfaces exposed by the plugin; an attacker may access administrative endpoints without proper authentication or adequate privilege, as the access checks are omitted. Because the flaw is a direct authorization bypass, exploitation is straightforward once the plugin is present on a site.